Re: [ga] Opposed to VeriSign's proposed com/net Anti-Abuse Policy, due to lack of due process

[George Kirikos <gkirikos@xxxxxxxxx>]

Just to followup, consider how poorly and broadly the language has been drafted 
defining "malware".


--- begin definition ------
"Malware" means any programming (code, scripts, active content, or other 
computer instruction or set of computer instructions) designed, or is intended, 
to (a) block access to, prevent the use or accessibility of, or alter, destroy 
or inhibit the use of, a computer, computer program, computer operations, 
computer services or computer network, by authorized users; (b) adversely 
affect, interrupt or disable the operation, security, or integrity of a 
computer, computer program, computer operations, computer services or computer 
network; (c) falsely purport to perform a useful function but which actually 
perform a destructive or harmful function or perform no useful function but 
consume significant computer, telecommunications or memory resources; (d) gain 
unauthorized access to or use of a computer, computer program, computer 
operations, computer services or computer network; (e) alter, damage, 
destroy, monitor, collect or transmit information within a
 computer, computer program, computer operations, computer services or computer 
network without the authorization of the owner of the information; (f) usurp 
the normal operation of a computer, computer program, computer operations, 
computer services or computer network; or (g) other abusive behavior. Malware 
includes, without limitation, various forms of crimeware, dialers, disabling 
devices, dishonest adware, hijackware, scareware, slag code (logic bombs), 
rootkits, spyware, Trojan horses, viruses, web bugs, and worms."
----- end definition ------

Notice the words "other abusive behavior" in item "g" -- this means that the 
definition is open-ended, leaving the classification of "abuse" entirely at 
VeriSign's discretion. Furthermore, some of the itemized "abuse" is iffy, for 
example web bugs (final sentence) are used by MANY legitimate websites, but 
VeriSign defines them as malware:

http://en.wikipedia.org/wiki/Web_bug


Super-Persistent "cookies" (perhaps via flash) are also used by many sites, as 
are regular cookies. Do those "monitor" or "collect" information? (item "e") 
Certainly, so under VeriSign's definition, they could be considered "malware".

While VeriSign's motivation is to reduce crime, it does so at the expense of 
due process. This is a Pandora's Box that shouldn't be opened without at  least 
a broad public consultation with domain name registrants, so that the 
implications of it can be carefully examined.

Sincerely,

George Kirikos
http://www.leap.com/


----- Original Message -----
From: George Kirikos <gkirikos@xxxxxxxxx>
To: GNSO GA Mailing List <ga@xxxxxxxxxxxxxx>
Cc: 
Sent: Monday, October 10, 2011 10:26 PM
Subject: [ga] Opposed to VeriSign's proposed com/net Anti-Abuse Policy, due to 
lack of due process 


Hi folks,

VeriSign has submitted an application to ICANN for an Anti-Abuse policy for 
com/net domain names:

http://www.icann.org/en/registries/rsep/#2011008


We oppose that application, as it does not provide any due process to domain 
name registrants. VeriSign would become the judge, jury and executioner, able 
to suspend or delete domain names that are allegedly "abusive".

VeriSign even recognizes that legitimate domain names will be affected. To 
attempt to mitigate these "false positives", VeriSign proposes that 
legitimate registrants would only be able to protest *after* VeriSign has 
already taken action. Such action would have already damaged the innocent 
registrants and their users.

This is counter to the domain name registrants' rights to due process. Instead, 
VeriSign should be compelled to prove the alleged abuse in an appropriate legal 
forum (e.g. a court), where the registrants can face their accuser, before 
being allowed to suspend or delete a domain name.

If ICANN is going to permit this policy to go forward without due process 
changes, VeriSign should be required to carry liability insurance in the amount 
of $100 million for each act of suspension/deletion. This would allow 
registrants to recover financially in the event that VeriSign is found guilty 
of suspending/deleting a domain name that was not in fact "abusive."

Sincerely,

George Kirikos
http://www.leap.com/